1. Field
The disclosure relates generally to attack graphs and more specifically to calculating the risk to a set of sensitive data objects that correspond to a regulated service provided by a set of components, by automatically generating a data-centric attack graph whose nodes represent the set of components and propagating risk scores to related components along the edge paths of the attack graph that connect them.
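The following is an added illustration, not code from the application, of the propagation described above: components become nodes, edges carry an assumed likelihood that compromise of one component reaches the next, and a sensitive data object inherits the risk of the component that holds it. The propagation rule (path score = product of edge likelihoods, node risk = maximum over paths) and all sample values are assumptions chosen for this example.

```python
"""Data-centric attack graph with risk propagation (constructed example)."""
from typing import Dict, List, Tuple

# Constructed sample: components of a hypothetical regulated service.
# The value is the assumed direct exposure of the component (0..1);
# only the internet-facing front end has any exposure of its own.
COMPONENTS: Dict[str, float] = {
    "web_frontend": 0.9,
    "api_gateway": 0.0,
    "records_service": 0.0,
    "patient_db": 0.0,
}

# Directed edges (source, target, assumed likelihood that a compromise
# of source lets an attacker reach target).
EDGES: List[Tuple[str, str, float]] = [
    ("web_frontend", "api_gateway", 0.6),
    ("api_gateway", "records_service", 0.5),
    ("records_service", "patient_db", 0.8),
    ("web_frontend", "records_service", 0.2),
]

# Sensitive data objects mapped to the component that holds each one.
DATA_OBJECTS: Dict[str, str] = {
    "medical_history": "patient_db",
    "billing_records": "records_service",
}


def propagate_risk(components: Dict[str, float],
                   edges: List[Tuple[str, str, float]]) -> Dict[str, float]:
    """Propagate risk along edges; each node keeps the best (max) path score."""
    risk = dict(components)
    adjacency: Dict[str, List[Tuple[str, float]]] = {}
    for src, dst, likelihood in edges:
        adjacency.setdefault(src, []).append((dst, likelihood))
    # Relax every edge up to |V| times; scores never grow along a cycle
    # because each step multiplies by a likelihood <= 1, so this terminates.
    for _ in range(len(risk)):
        changed = False
        for src, targets in adjacency.items():
            for dst, likelihood in targets:
                candidate = risk[src] * likelihood
                if candidate > risk[dst] + 1e-12:
                    risk[dst] = candidate
                    changed = True
        if not changed:
            break
    return risk


def data_object_risk(components, edges, data_objects) -> Dict[str, float]:
    """Risk of each sensitive data object = risk of the component holding it."""
    component_risk = propagate_risk(components, edges)
    return {name: component_risk[holder] for name, holder in data_objects.items()}


def service_risk(components, edges, data_objects) -> float:
    """Risk of the regulated service = its most exposed sensitive data object."""
    return max(data_object_risk(components, edges, data_objects).values())
```

Running `data_object_risk(COMPONENTS, EDGES, DATA_OBJECTS)` shows that the database inherits risk through the chain front end, gateway, records service even though it has no direct exposure of its own.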
2. Description of the Related Art
Today, many software applications access and/or process sensitive data corresponding to individuals, such as, for example, personal medical information or personal financial information. However, many federal, state, and local laws regulate the accessing and processing of certain types of sensitive data corresponding to individuals. For example, federal regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act, include specific mandates regarding the use of sensitive data. HIPAA provides data privacy and security provisions for safeguarding the sensitive personal medical information of individuals. The Gramm-Leach-Bliley Act controls the way financial institutions may use the sensitive personal financial information of individuals. As a result, any entity, such as an institution, enterprise, business, company, or agency, that provides one or more services that access and/or process these types of sensitive data must be able to determine whether the sensitive data is at risk of attack or compromise and take corrective action to eliminate, reduce, or mitigate the risk.